What Banks Don't Know About the Security Hazards of Cloud Computing

FEARING A DISCONNECT: "The tough thing is that the security policies and standards Western Union adheres to might not be shared by the cloud computing company," says David Levin, director of information security at Western Union.

As bank executives continue to debate, hesitate and worry over the security issues related to using applications that connect to the cloud, their employees are using cloud-based apps by the hundreds — often without banks' knowledge.

The average bank had 844 cloud services in use throughout its network in the third quarter of this year, according to an analysis conducted by Skyhigh Networks, far higher than bank IT departments estimated.

"If you did a survey where you asked the financial services companies themselves [how many cloud services they use], the answer would be somewhere between 32 and 34, because you approved those," said Rajiv Gupta, CEO of Skyhigh, which provides cloud security software.

The gap exists because many employees are quietly downloading cloud services like Dropbox and Gmail in the interest of being more productive, while the bank's IT department is not even aware that it is happening or of the security problems that could result. Indeed, many IT departments distrust cloud services because they do not view them as secure.

"There's a big disconnect, and it's frightening," said David Albertazzi, who is senior analyst, retail banking and payments at the Aite Group. "It's not so much about cloud computing. It's about a failure in vendor risk management programs and overall risk assessment of the institution."

Vendor management can often be overwhelming. Many banks deal with 500 to 1,000 vendors, but only a handful are considered mission critical. But Albertazzi said it's important that all vendors be included in the vendor risk program so that nothing falls between the cracks.

A recent Cloud Security Alliance survey found that 52% of IT professionals in financial services have been pressured to approve an app they did not think met the company's security or compliance requirements. And IT executives themselves break the rules at times.

"I was talking to the CISO of a bank, he was nodding and taking notes, and he stopped and realized he was taking notes in Evernote, which is not an approved service at the bank," Gupta said. "He was using a service that makes him efficient."

Financial services companies do approve the use of some cloud services. The Cloud Security Alliance survey found that 24% of financial services companies have a "full steam ahead" attitude toward the cloud and another 62% of these companies are moving with caution.

But 76% of IT professionals at financial services companies said they did not know the scope of shadow IT at their companies, though they wanted to know.

PROTECTING WESTERN UNION

The high rate of under-the-radar use of cloud apps in financial services companies comes as no surprise to David Levin, director of information security at Western Union.

"I think [844] is a true number across a lot of organizations," he said.

Common cloud-based apps could include Facebook and Gmail, he said.

Western Union has long had a web filter that blocked certain categories of sites (including cloud services). But frustrated users requested more and more apps to a degree that was overwhelming.

Levin, who oversees security for 10,000 corporate employees, said his biggest security concern about cloud apps is around document sharing sites like Dropbox and Box.

"Your data is in the cloud, you don't know how it's being used," Levin said. "The users don't realize the risks, they just see it as a productivity improvement product."

Sites for collaboration and project management also raise concerns, Levin said, as well as sites used for code development and analysis.

"Going to a cloud application to run a project doesn't necessarily introduce risk to the network," he said. "The tough thing is that the security policies and standards Western Union adheres to might not be shared by the cloud computing company."

As more users sign up for cloud apps, however, they're accepting those companies' terms and conditions.

Levin also worries about the authentication measures cloud providers use.

"Do they have the same password complexity? Do they offer two-factor authentication? These are all the kinds of things we typically check when we work with vendors through the proper process, and the cloud kind of bypasses all that," he said.

To address these issues, Western Union created an initiative called WISE — Western Union Information Security Enablement.

"We were all about the security team providing next-gen technology to our employees to help them do their job better, rather than saying, you can't go to that website, tough luck," Levin said. "If you tell them no, they'll go anyway. If you give them solutions that are easy to use and feel like they're next gen or make their lives easier, they'll migrate to that, and you'll reduce your risk of them going to the other side."

The company first brought in a cloud single-sign-on authentication solution called Okta, then a file transfer solution from Accellion that's similar to Box, but with added security and housed in Western Union's private cloud. It implemented Skyhigh's software to monitor the use of cloud apps and understand how the apps are being used, who's using them, and the risks of those apps.
